TLS 1.2 enforcement on Azure Cosmos DB

Thomas Weiss

Microsoft Azure recommends that all customers complete their migration to solutions that support Transport Layer Security (TLS) 1.2 and make sure that TLS 1.2 is used by default.

Azure Cosmos DB already supports TLS 1.2. To ensure our customers are covered with the best level of security, TLS 1.2 will be enforced by default starting July 29th, 2020 on:

  • new accounts,
  • existing accounts where our records show that client connections use TLS 1.2 exclusively.

This means that any client request that uses a TLS version lower than 1.2 will be actively rejected on these accounts.

If you are currently using a TLS version lower than 1.2 to connect to your existing account, you will not be impacted, and your application will continue to work normally. We still recommend upgrading your client connections to TLS 1.2. How you perform this upgrade depends on the platform your client applications run on. TLS enforcement options exist at the operating system and application framework levels. Here are some pointers for you to follow: